Transfer Impact Assessment in the scope of clinical trials – who should do it?
What is a Transfer Impact Assessment?
The requirement to perform a Transfer Impact Assessment (TIA) was introduced by the "Schrems II" ruling, where the Court of Justice of the European Union (CJEU) emphasized the responsibility of exporters and importers to ensure that personal data is processed, and continues to be processed, in compliance with the level of protection set by the EU data protection legislation, when transferred to third countries that were not granted with an adequacy decision issued by the European Commission.
In this regard, exporters relying on appropriate safeguards under art. 46 GDPR, to transfer personal data, are obliged to assess the level of protection in the third country of destination and the need to put in place additional safeguards – such assessment is commonly known as a Transfer Impact Assessment (TIA).
But who should perform such TIA in the scope of clinical trials?
In clinical trials we have four main players: Sponsor, Sites, Contract Research Organizations (CRO’s) and other service providers (study vendors).
Without mentioning Sites, as there are controversial positions regarding their role as exporters, (in my opinion they should be consider exporters only for indirect collections of data by the sponsor - e.g.: when site shares personal data previously collected for other purposes, with sponsor to use in research); it is fairly accepted within the industry that there’s a direct collection of personal data from the sponsor, who provides a transparent privacy notice to individuals on how personal data will be processed for the study; and a sharing of personal data (transfer) from the sponsor with the CRO who will conduct the clinical trial on behalf of the sponsor. In addition, when CRO contracts with study vendors to provide services for the study, CRO also shares data with these study vendors and if this sharing results in cross-border transfers, such transfers are consider onward transfers and must comply with same requirements as the initial transfers performed by the Sponsor.
This means that we have one initial transfer between the sponsor and CRO, in such cases, sponsor is the data exporter and the CRO is the data importer; but we also have a second transfer (or multiple transfers), so called onward transfers, between the CRO and study vendors, contracted directly be the CRO, to provide services for the clinical trial, in such scenario, the CRO is the data exporter and the study vendors are data importers.
This shows us that we cannot say that the responsibilities to perform a TIA in the scope of clinical trials relies solely on the Sponsor, as it will depend on who is the data exporter for the transfer.
Are importers required to collaborate in the performance of a TIA?
According to the “Schrems II” ruling, the court has stated and insisted that the data importer shall collaborate with the data exporter in the performance of the transfer impact assessment.
In addition, the Standard Contractual Clauses, as approved by the European Commission in June 4, 2021, impose the following obligations to both exporter and importer, regarding the performance of a TIA:
To both data exporter and importer: to declare they have no reason to believe that the laws and practices in the third country of destination prevent the data importer from fulfilling its obligations under the Clauses
To both data exporter and importer: to perform an assessment to the specific circumstances of the transfer, the laws and practices of the third country of destination, and to any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under the Clauses
To data importer: to provide the data exporter with relevant information and to cooperate with the data exporter in ensuring compliance with the Clauses
To both data exporter and data importer: to document the assessment performed and make it available to the competent supervisory authority on request
Recently, the French Data Protection Authority (CNIL) has highlighted the importance of the data importer’s role in the performance of a TIA, since importers have relevant information to perform the assessment, which makes its cooperation with exporters essential for the performance of the TIA.
The CNIL has even mentioned that in the context of a relationship between a controller and a processor, the transmission of this information to the controller by the processor is part of the latter's obligations under Article 28 of the GDPR, and in particular under Article 28(3)(h) and that the transmission by the processor of a simple conclusion or an executive summary of its assessment, without the provision of concrete information on the legislation of the third country and the practices of the authorities, as well as on the circumstances of the transfer, does not enable the processor to fulfil its obligations under Article 28 of the GDPR.
Conclusion:
In the scope of clinical trials and in the context of cross-border transfers between the sponsor and the CRO, since there’s a relationship “controller-processor” between the parties, sponsor should request the CRO to provide a complete assessment on the legislation of the third country and the practices of the authorities, as well as on the circumstances of the transfer, to facilitate the performance of a TIA by the sponsor.
The CRO is also required to perform a TIA when sharing data with other study vendors (sub-processors) and sponsor is entitled to receive such TIA as part of its audit rights under art. 28 GDPR, considering processors are required to ensure compliance with Chapter V GDPR for onward transfers.
To conclude, it is fair to say that both Sponsor and CRO shall perform a TIA in the scope of clinical trials and shall share information on the assessment among them. It is also relevant to mention that a TIA is not a static document and that any changes to the legislation may result in the need to update the TIA, and when both exporter and importer consider that the rights and freedoms of the individuals are no longer respected in the recipient country, due to a change of legislation or political conjuncture, exporter may suspend or cancel the transfers if no supplementary measures are implemented to ensure data receives a fair and equivalent treatment in the recipient country.
Diana Andrade
Founder & Managing Director at RD Privacy
