There’s a huge discussion around the concepts of Controller/Processor in the scope of clinical trials and while it’s unanimous that a CRO is acting as a Processor for the Sponsor, it’s not yet clear how Sponsor and Sites interact and are defined for the purposes of processing personal data in a clinical trial.

The 29 WP has tried to clarify the situation by issuing an Opinion no. 1/2010 on the concepts of "controller" and "processor" in February 16, 2010, where the following was said:

“Example No. 25: Clinical drug trials

The pharmaceutical company XYZ sponsors some drug trials and selects the candidate trial centres by assessing the respective eligibility and interests; it draws up the trial protocol, provides the necessary guidance to the centres with regard to data processing and verifies compliance by the centres with both the protocol and the respective internal procedures. Although the sponsor does not collect any data directly, it does acquire the patients' data as collected by trial centres and processes those data in different ways (evaluating the information contained in the medical documents; receiving the data of adverse reactions; entering these data in the relevant database; performing statistical analyses to achieve the trial results).

The trial centre carries out the trial autonomously – albeit incompliance with the sponsor's guidelines; it provides the information notices to patients and obtains their consent as also related to processing of the data concerning them; it allows the sponsor's collaborators to access the patients' original medical documents to perform monitoring activities; and it handles and is responsible for the safe keeping of those documents.

Therefore, it appears that responsibilities are vested in the individual actors. Against this background, in this case both trial centres and sponsors make important determinations with regard to the way personal data relating to clinical trials are processed. Accordingly, they may be regarded as joint data controllers. The relation between the sponsor and the trial centres could be interpreted differently in those cases where the sponsor determines the purposes and the essential elements of the means and the researcher is left with a very narrow margin of manoeuvre.”

More recently, the Health Research Authority (HRA) in the UK has issued on April 19, 2018 a clarification on the definition of Controllers in the scope of clinical trials and it confirmed that in Clinical trials both Sponsor and Site are sole controllers for different purposes of the processing:

“It is the sponsor who determines what data is collected for the research study through the protocol, case report form and/or structured data fields in a database. The sponsor therefore acts as the controller in relation to the research data. In many cases, participants will be patients/service users and the same information may also be provided to the care organisation. The care organisation therefore acts as the controller in relation to the data provided for care purposes. This means that there may be two controllers for the same information – but for two different purposes.”

Clearly, there are two divided positions, one that sees Sponsor and Sites as Joint-Controllers and another that sees Sponsor and Sites as separate controllers for different purposes of the data processing.

It’s becoming more frequent to find Hospitals and Regulatory Authorities in European countries defending the independent controllership model. Here, parties defend an origin-based approach to the definition of Controller where each controller is responsible for the data it introduces in the system, meaning that for the purposes of the clinical trial, the Sponsor is responsible for the key-coded data they add into trial’s systems and the Sites are responsible for the named data they add into the medical care systems (e.g.: the medical history of the patient).

Contrarily, the joint-controllership position is based on the fact that it’s not possible to separate key-coded data from named data in a clinical trial, this means that the Sponsor and the Site would be seen as joint-controllers for both key-coded and named data processed for the trial. Such position raises concerns as it makes Sponsor jointly liable for the named data processed at Site (e.g. clinical trials results included in patient’s medical history).

At the end of the day, the decision of who is the Controller in a Clinical Trial is determined by the way personal data is processed. The key aspect, in my opinion, is how to determine which personal data is processed for the purposes of the trial. Can we actually separate key-coded data for the purposes of the research from named data for the purposes of medical care?

It seems that according to 29 WP on its Opinion no. 1/2010, when determining who is the controller of certain processing, we have to consider the “means” for the processing which not only refer to the technical ways of processing but also how processing is made, which includes questions like “which data is processed”, “which third parties shall have access to this data”, “when data shall be deleted”, etc.

To conclude, there’s no final position on this and it’s up to the Sponsors and the Sites to clarify in relevant documents such as contracts and informed consent forms, the Sponsor/Site relationship, nonetheless, it’s important to say that no matter what is included in the contract or agreed between the parties, the actual responsibility of a party as a Controller or a Processor is determined by the law and applied by the relevant supervisory authority in case of conflict, dispute or investigation, so it’s important to have a clear justification supported by strong and robust arguments (e.g. as part of the record of processing activities) regarding Sponsor’s position on the controllership model in a Clinical Trial, in case this is raised by any authority or parties involved.

DCA