Are Sponsors of clinical trials required to appoint a DPO?
To address this question we first need to understand the requirements for the appointment of a DPO. According to art. 37 of the GDPR, the designation of a DPO is an obligation if: (1) the processing is carried out by a public authority or body (irrespective of what data is being processed), (2) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or (3) the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
One of the most important criteria is to identify what a core activity is. According to the European Data Protection Board (EDPB), ‘core activities’ can be considered as the key operations needed to achieve the controller’s or processor’s objectives. For pharma companies, the core activities are clearly the research, development, marketing and/or distribution of drugs, and the research activities in particular require the processing of special categories of personal data.
The question is then whether the processing of special categories of personal data fits the definition of large-scale processing, and this is where most of the questions arise.
The GDPR does not define what constitutes large-scale processing, but the EDPB recommends that the following factors be considered when determining whether processing is carried out on a large scale: a) the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; b) the volume of data and/or the range of different data items being processed; c) the duration, or permanence, of the data processing activity; d) the geographical extent of the processing activity.
So what happens with small biopharma companies that perform research as a core activity and hence process special categories of personal data from EU citizens, but where the number of data subjects concerned or the volume of data processed is small? Would they still be required to appoint a DPO?
I have asked the ICO this question and I couldn't obtain a satisfactory answer. The decision on appointing a DPO in such cases rests with the organization, taking into account the EDPB guidance and the GDPR.
Some aspects to take into account when taking the decision are:
Compliance with EU local laws
GDPR legal/compliance support when DPO is not appointed
Possibility of DPO designation on a voluntary basis; however, the GDPR obligations imposed on the DPO would then be mandatory
Regarding compliance with EU local laws, even though the GDPR is directly applicable in all EU countries, the majority of EU countries have approved legislation complementing the GDPR. Such legislation should be checked against art. 37 GDPR to see if anything included there would require an organization to appoint a DPO in the relevant country.
It is also important to ensure that, even when neither the GDPR nor local legislation requires the designation of a DPO, the Controller/Processor complies with the GDPR when processing personal data from EU citizens. So, even when such processing doesn't meet the “large scale” threshold, the fact that EU citizens' data is being processed means the Controller/Processor needs a good understanding of the obligations the GDPR imposes on that processing. It's easier to rely on the advice of a DPO when organizations aren't EU based and don't have deep knowledge of EU law; nevertheless, if a DPO is not appointed, companies should ensure they have legal/compliance support, either internal or external, so that all processing activities are GDPR compliant.
Lastly, there's also the possibility of appointing a DPO on a voluntary basis to fulfil the tasks under art. 39 GDPR. However, when an organisation designates a DPO on a voluntary basis, the GDPR requirements apply to the DPO as if the designation had been mandatory, in particular the requirement to publish the contact details of the DPO and communicate them to the supervisory authority under art. 37(7) GDPR, and the requirement to add the contact details of the DPO to the privacy notice as per art. 13(1)(b) and 14(1)(b) GDPR, not to mention any other obligation under local law.
To conclude, while big pharma companies may be considered to process special categories of personal data on a large scale (considering their core activities, where they are located and the number of data subjects concerned), small biopharma companies may not meet the requirement for appointing a DPO. Nevertheless, the decision not to appoint one should not only be documented; organizations should also create mechanisms to ensure compliance with EU privacy laws when processing data from EU individuals.
In this regard, organizations should either have internal staff capable of fulfilling the tasks of the DPO under art. 39 or hire external legal support. If, on the other hand, organizations decide to appoint a DPO on a voluntary basis, they shall ensure that, as part of monitoring the organization's compliance with applicable laws, the DPO takes care of the organization's obligations as a Controller, especially the need to notify the identity and contact details of the DPO to the relevant supervisory authorities within the period established by those authorities.
As a last note, compliance with the GDPR and the local laws of EU countries is a continuous activity and should run alongside the processing activities of an organization. The more awareness organizations have of privacy implications, the more successful the privacy compliance program will be, so an important task of the DPO or Privacy Counsel is awareness-raising and training of staff involved in processing operations, simply because privacy compliance cannot be performed by one individual; it needs to be a global effort of the entire organization.
DCA